Let me know if you think I got anything wrong. If you were one of the people
whose names I missed, by all means let me know. If you want to discuss anything
that was said, do *not* reply to this message, but use a new thread.
--Paul Hoffman
IPsecME WG
IETF 83, Paris
Monday, March 26, 2012
Minutes taken by Paul Hoffman
Text from the slides is not reproduced here
See https://datatracker.ietf.org/meeting/83/materials.html#wg-ipsecme
Agenda was bashed, no additional issues
WG status
Last IETF was just an informal meeting
One current doc: P2P VPN use cases and requirements doc
We know that protocols are already out there, but that doesn't matter
now
P2P VPN problem statement doc
Steve Hanna
draft-ietf-ipsecme-p2p-vpn-problem-00
Need a new name for the protocol
Current draft is use cases only, will get to requirements soon
# 210
Postponed until after we have all the requirements
# 211
Add some new text about why this is difficult
Will know more when we do the requirements
# 212
Give examples of why gateway-to-gateway might be useful
Two branch offices, videoconferencing
Paul Hoffman: this is why we postponed 210
People were thinking that the topic was only
individual-to-individual
Naming issue started restricting what we were talking
about
# 213
Need to mention challenges in use cases section
Paul: reminded that there will be a separate requirement section
# 214
Core gateway configuring is a solution, so premature
Also in #213
# 215
Should be a requirement
Michael Richardson: must be a requirement
We don't have all the tunnels pre-configured, so we
need to deal with flowing traffic
You can't pre-configure because of capacity issues on
the gateway
Steve: does this need to be a use case because it is so
fundamental?
David Black: VoIP isn't the only traffic on the Internet
Is OK with dropping a packet sometimes
Tero Kivinen: This will be needed after you notice that you
need it, when packets are flowing
Steve: Mention in use cases that packet loss is highly
undesirable, but add it more in the requirements
Brian Weiss: Nervous about talking too much about voice
(?): Not saying that no packets should be lost, but (?)
Michael: Voice packets also being late is bad
Might have a policy to only use this for media, not for
regular data
# 216
Solution-specific or requirement
Tero: Is there a use case where the end point moves from
outside the gateway to inside
Paul: Mobility is a use case, but not just for multiple
interfaces
Steve: Either a new use case, or within the existing ones
# 217
Requirement: it's a "how", not a use case
David: Authorization is out of scope
# 218
Explain that this doesn't scale in 3.1.
Tero: It is also proprietary and can't be interoperable
Brian: We can push out configs if needed
Paul: Remember the massive failure of the IPS WG
Also issue with NATs if the endpoint hasn't talked first
# 219
People don't need to use this if they don't want to
Say this in the security considerations
Yoav Nir:
Has to be a requirement that any solution can implement
different policies
Yaron Sheffer:
Agrees with Yoav, maybe becomes a use case
Take this to the list
# 220
Deleted paragraph
# 221
Add text, proprietary approaches don't always implement all of
the IPsec architecture
Paul: wants a name that is properly descriptive, maybe also creative
Next steps
Steve will issue new I-D with new name
Spend April writing requirements
Then ask people to propose solutions
Yaron: Requirements go in this draft in a different section
Paul: Wants to see "the right amount" of interaction on this
document
We have no idea if existing solutions will meet
requirements because the requirements section is blank
May have some proposed solutions befor Vancouver
More raw public keys
Tero
draft-kivinen-ipsecme-oob-pubkey-00.txt
Similar to what is happening TLS WG
If we adopt this, what do we do with the old format?
Michael: Should say, don't be silent
Yaron: Needs to be Standards Track
Paul: We need to discuss this on the mailing list even if it is not a
WG document
Brian: The document doesn't describe the encoding of the keys
Paul: It comes from PKIX SubjectPublicKeyInfo definition
ERP for IKEv2
Yoav
draft-nir-ipsecme-erx
Minor change to protocol so that you don't have to renegotiate when you
move around
Doesn't deal with multiple AAA domains
Will be on the list
IANA Issue in IKEv1 ipsec-registry
Tero
Everything is a mess
Will ask on the list, silence means that he can go ahead
Use of config payload for 3GPP and Femtocell
Tricci So
draft-so-ipsecme-ikev2-cpext-01
Femto is on many technologies, not just 3GPP
Fixed wireline operator needs to apply a policy to the Femto device
Need to know the location of the Fembto AP, based on IP address
Reuses Config payload to let SG pass back the address
Tero: This is the completely wrong way to do this
It's not config information, and it can't be trusted
Maybe use an SNMP MIB instead
(?): Also thought this is the wrong thing to do
Paul: Not clear the process is, but it should be discussed more on the
mailing list
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
